CVE-2026-55892
Analyzed Analyzed - Analysis Complete

Stack Out-of-Bounds Write in Vim Text Editor

Vulnerability report for CVE-2026-55892, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vim vim to 9.2.0662 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55892 is a stack out-of-bounds write vulnerability in the Vim text editor versions prior to 9.2.0662. It occurs in the dump_prefixes() function within src/spell.c, which iteratively walks a spell-file prefix trie using a depth counter. This counter is not checked against the fixed size of the stack arrays it indexes (prefix[], arridx[], curi[]), each limited to 254 elements (MAXWLEN).

A specially crafted .spl file can exploit this by forcing the depth counter beyond the array limits, causing writes past the end of these arrays. This corrupts the call stack and crashes the editor. The vulnerability is triggered when a user enables spell checking and dumps the word list, for example via the :spelldump command.

The issue can be exploited by delivering a malicious spell file through repositories or archives that Vim loads based on spelllang, spellfile, or runtimepath settings. The vulnerability was fixed in Vim patch version 9.2.0662 by limiting the depth counter to prevent out-of-bounds writes.

Impact Analysis

This vulnerability can cause the Vim editor to crash due to stack corruption when processing a maliciously crafted spell file. The impact is primarily on availability, as the editor becomes unstable and unusable during the exploit.

The attack requires local access and user interaction, such as opening or dumping a word list with a malicious .spl file. There is no impact on confidentiality or integrity, but the denial of service caused by the crash can disrupt workflows.

Detection Guidance

This vulnerability is triggered when a user enables spell checking in Vim and performs a word list dump using the :spelldump command or spelling completion. Detection involves checking if Vim is running a vulnerable version prior to 9.2.0662 and if any maliciously crafted .spl files are loaded.

To detect exploitation attempts or presence of the vulnerability, you can monitor for crashes of the Vim editor during spell checking or word list dumping operations.

Suggested command to test if your Vim is vulnerable: open Vim and run the command :spelldump. If Vim crashes or behaves unexpectedly, it may be vulnerable or exposed to crafted .spl files.

Additionally, verify the Vim version installed by running: vim --version. Versions prior to 9.2.0662 are vulnerable.

Mitigation Strategies

The primary mitigation step is to update Vim to version 9.2.0662 or later, where the vulnerability has been fixed.

Avoid loading or using untrusted or maliciously crafted .spl spell files, especially those obtained from unverified repositories or archives.

Limit user interaction with potentially malicious spell files by restricting access to spell checking features or disabling spell file dumping commands until the update is applied.

Compliance Impact

The vulnerability in Vim (CVE-2026-55892) causes a stack out-of-bounds write that can crash the editor, impacting availability. However, there is no information provided that links this vulnerability to data breaches, unauthorized data access, or exposure of personal or sensitive information.

Since the vulnerability primarily affects availability and requires local access and user interaction without privilege escalation, it does not directly imply non-compliance with standards like GDPR or HIPAA, which focus on confidentiality and integrity of personal data.

Therefore, based on the provided information, this vulnerability does not have a direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart